integrated srtool for deterministic runtime builds

CorruptedAesthetic · CorruptedAesthetic · commit ee1ecd60287a · 2025-05-21T23:51:06.000-04:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -48,6 +48,24 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=sha,format=long
       
+      # ------------------------------------------------------------
+      # Build the runtime deterministically with srtool and capture
+      # its SHA-256 so we can inject it as an OCI label.
+      # ------------------------------------------------------------
+      - name: Build runtime with srtool & extract Wasm hash
+        id: wasm
+        run: |
+          set -euo pipefail
+          echo "🛠️  Running srtool to build compact runtime…"
+          HASH=$(docker run --rm \
+            -v "${PWD}":/build \
+            --workdir /build \
+            paritytech/srtool:1.84.1 \
+            bash -c "/srtool/build >/dev/null 2>&1 && sha256sum runtime/fennel/target/srtool/release/wbuild/fennel-node-runtime/fennel_node_runtime.compact.wasm | awk '{print \"0x\"\$1}'")
+          echo "WASM_HASH=$HASH" >> $GITHUB_ENV
+          echo "hash=$HASH" >> $GITHUB_OUTPUT
+          echo "✅ Deterministic Wasm hash: $HASH"
+      
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
@@ -58,6 +76,8 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            WASM_HASH=${{ env.WASM_HASH }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           
@@ -66,8 +86,10 @@ jobs:
         run: |
           mkdir -p ./artifacts
           echo "Image name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" > ./artifacts/image-info.txt
-          echo "Tags: ${{ steps.meta.outputs.tags }}" >> ./artifacts/image-info.txt
-          echo "Created: $(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> ./artifacts/image-info.txt
+          echo "Tags:      ${{ steps.meta.outputs.tags }}" >> ./artifacts/image-info.txt
+          echo "Wasm hash: ${{ env.WASM_HASH }}"          >> ./artifacts/image-info.txt
+          echo "Digest:    ${{ steps.build-and-push-image.outputs.digest }}" >> ./artifacts/image-info.txt
+          echo "Created:   $(date -u +\"%Y-%m-%dT%H:%M:%SZ\")" >> ./artifacts/image-info.txt
           
       - name: Upload Docker image info artifact
         uses: actions/upload-artifact@v4
diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,27 @@ FROM base AS tester
 COPY . .
 RUN cargo test --features=runtime-benchmarks
 
+# --- New stage: deterministic WASM runtime build using srtool -----------------
+FROM docker.io/paritytech/srtool:1.84.1 AS srtool
+
+# The srtool image expects the sources to live in /build
+WORKDIR /build
+
+# Copy the full workspace so that frame pallets & dependencies are available
+COPY --chown=builder:builder . .
+
+# Tell srtool which crate contains the runtime. Adjust these paths/names if you
+# ever rename the runtime crate or move it to another folder.
+ENV RUNTIME_DIR=runtime/fennel
+ENV PACKAGE=fennel-node-runtime
+
+# Build the runtime in deterministic mode. The build script lives inside the
+# image under /scripts/build
+RUN /srtool/build
+
+# The compact deterministic wasm will be available below.
+ENV DETERMINISTIC_WASM_PATH=target/srtool/release/wbuild/fennel-node-runtime/fennel_node_runtime.compact.wasm
+
 # Builder stage - build with cached dependencies
 FROM base AS builder
 COPY --from=planner /fennel/recipe.json recipe.json
@@ -28,6 +49,14 @@ FROM docker.io/parity/base-bin:latest
 # Copy the node binary
 COPY --from=builder /fennel/target/release/fennel-node /usr/local/bin/fennel-node
 
+# Copy the deterministic wasm compiled with srtool (optional but convenient for
+# governance upgrades & CI verification)
+COPY --from=srtool /build/runtime/fennel/target/srtool/release/wbuild/fennel-node-runtime/fennel_node_runtime.compact.wasm /usr/local/bin/fennel_node_runtime.compact.wasm
+RUN test -f /usr/local/bin/fennel_node_runtime.compact.wasm
+
+ARG WASM_HASH=unknown
+LABEL io.parity.srtool.wasm-hash=${WASM_HASH}
+
 USER root
 RUN useradd -m -u 1001 -U -s /bin/sh -d /fennel fennel && \
 	mkdir -p /data /fennel/.local/share && \
